Results 1  10
of
14
Fully KeyHomomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits
, 2014
"... We construct the first (keypolicy) attributebased encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fanin gates thereby further redu ..."
Abstract

Cited by 19 (2 self)
 Add to MetaCart
(Show Context)
We construct the first (keypolicy) attributebased encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fanin gates thereby further reducing the circuit depth. Building on this ABE system we obtain the first reusable circuit garbling scheme that produces garbled circuits whose size is the same as the original circuit plus an additive poly(λ, d) bits, where λ is the security parameter and d is the circuit depth. Save the additive poly(λ, d) factor, this is the best one could hope for. All previous constructions incurred a multiplicative poly(λ) blowup. As another application, we obtain (single key secure) functional encryption with short secret keys. We construct our attributebased system using a mechanism we call fully keyhomomorphic encryption which is a publickey system that lets anyone translate a ciphertext encrypted under a publickey x into a ciphertext encrypted under the publickey (f(x), f) of the same plaintext, for any efficiently computable f. We show that this mechanism gives an ABE with short keys. Security is based on the subexponential hardness of the learning with errors problem. We also present a second (keypolicy) ABE, using multilinear maps, with short ciphertexts: an encryption to an attribute vector x is the size of x plus poly(λ, d) additional bits. This gives a reusable circuit garbling scheme where the size of the garbled input is short, namely the same as that of the original input, plus a poly(λ, d) factor.
Amortizing Garbled Circuits
 Advances in Cryptology – CRYPTO 2014
"... Abstract. We consider secure twoparty computation in a multipleexecution setting, where two parties wish to securely evaluate the same circuit multiple times. We design efficient garbledcircuitbased twoparty protocols secure against malicious adversaries. Recent works by Lindell (Crypto 2013) a ..."
Abstract

Cited by 11 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We consider secure twoparty computation in a multipleexecution setting, where two parties wish to securely evaluate the same circuit multiple times. We design efficient garbledcircuitbased twoparty protocols secure against malicious adversaries. Recent works by Lindell (Crypto 2013) and HuangKatzEvans (Crypto 2013) have obtained optimal complexity for cutandchoose performed over garbled circuits in the single execution setting. We show that it is possible to obtain much lower amortized overhead for cutandchoose in the multipleexecution setting. Our efficiency improvements result from a novel way to combine a recent technique of Lindell (Crypto 2013) with LEGObased cutandchoose techniques (TCC 2009, Eurocrypt 2013). In concrete terms, for 40bit statistical security we obtain a 2 × improvement (per execution) in communication and computation for as few as 7 executions, and require only 8 garbled circuits (i.e., a 5 × improvement) per execution for as low as 3500 executions. Our results suggest the exciting possibility that secure twoparty computation in the malicious setting can be less than an order of magnitude more expensive than in the semihonest setting. 1
Instantiating Random Oracles via UCEs
, 2013
"... This paper provides a (standardmodel) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. Goals and schemes we consider include deterministic PKE; messagelocked encryption; hardcore functions; p ..."
Abstract

Cited by 9 (3 self)
 Add to MetaCart
(Show Context)
This paper provides a (standardmodel) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. Goals and schemes we consider include deterministic PKE; messagelocked encryption; hardcore functions; pointfunction obfuscation; OAEP; encryption secure for keydependent messages; encryption secure under relatedkey attack; proofs of storage; and adaptivelysecure garbled circuits with short tokens. We can take existing, natural and efficient ROM schemes and show that the instantiated scheme resulting from replacing the RO with a UCE function is secure in the standard model. In several cases this results in the first standardmodel schemes for these goals. The definition of UCEsecurity itself is quite simple, asking that outputs of the function look random given some “leakage, ” even if the adversary knows the key, as long as the leakage does not permit the adversary to compute the inputs.
Garbled RAM From OneWay Functions
"... Yao’s garbled circuit construction is a fundamental construction in cryptography and recent efficiency optimizations have brought it much closer to practice. However these constructions work only for circuits and garbling a RAM program involves the inefficient process of first converting it into a ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
(Show Context)
Yao’s garbled circuit construction is a fundamental construction in cryptography and recent efficiency optimizations have brought it much closer to practice. However these constructions work only for circuits and garbling a RAM program involves the inefficient process of first converting it into a circuit. Towards the goal of avoiding this inefficiency, Lu and Ostrovsky (Eurocrypt 2013) introduced the notion of “garbled RAM ” as a method to garble RAM programs directly. It can be seen as a RAM analogue of Yao’s garbled circuits such that, the size of the garbled program and the time it takes to create and evaluate it, is proportional only to the running time on the RAM program rather than its circuit size. Known realizations of this primitive, either need to rely on strong computational assumptions or do not achieve the aforementioned efficiency (Gentry, Halevi, Lu, Ostrovsky, Raykova and Wichs, EUROCRYPT 2014). In this paper we provide the first construction with strictly polylogarithmic overhead in both space and time based only on the minimal and necessary assumption that oneway functions exist. Our scheme allows for garbling multiple programs being executed on a persistent database, and has the additional feature that the program garbling is decoupled from the database garbling. This allows a client to provide multiple garbled programs to the server as part of a preprocessing phase and then later determine the order and the inputs on which these programs are to be executed, doing work independent of the running times of the programs itself.
On the Communication Complexity of Secure Function Evaluation with Long Output
"... We study the communication complexity of secure function evaluation (SFE). Consider a setting where Alice has a short input xA, Bob has an input xB and we want Bob to learn some function y = f(xA, xB) with large output size. For example, Alice has a small secret decryption key, Bob has a large encry ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
(Show Context)
We study the communication complexity of secure function evaluation (SFE). Consider a setting where Alice has a short input xA, Bob has an input xB and we want Bob to learn some function y = f(xA, xB) with large output size. For example, Alice has a small secret decryption key, Bob has a large encrypted database and we want Bob to learn the decrypted data without learning anything else about Alice’s key. In a trivial insecure protocol, Alice can just send her short input xA to Bob. However, all known SFE protocols have communication complexity that scales with size of the output y, which can potentially be much larger. Is such “outputsize dependence ” inherent in SFE? Surprisingly, we show that outputsize dependence can be avoided in the honestbutcurious setting. In particular, using indistinguishability obfuscation (iO) and fully homomorphic encryption (FHE), we construct the first honestbutcurious SFE protocol whose communication complexity only scales with that of the best insecure protocol for evaluating the desired function, independent of the output size. Our construction relies on a novel way of using iO via a new tool that we call a “somewhere statistically binding (SSB) hash”, and which may be of independent interest. On the negative side, we show that outputsize dependence is inherent in the fully malicious setting, or even already in an honestbutdeterministic setting, where the corrupted party follows the protocol as specified but fixes its random tape to some deterministic value. Moreover, we show that even in an offline/online protocol, the communication of the online phase must have outputsize dependence. This negative result uses an incompressibility argument and it generalizes several recent lower bounds for functional encryption and (reusable) garbled circuits, which follow as simple corollaries of our general theorem. 1
Indistinguishability Obfuscation and UCEs: The Case of Computationally Unpredictable Sources
"... Abstract. Random oracles are powerful cryptographic objects. They facilitate the security proofs of an impressive number of practical cryptosystems ranging from KDMsecure and deterministic encryption to pointfunction obfuscation and many more. However, due to an uninstantiability result of Canetti ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
Abstract. Random oracles are powerful cryptographic objects. They facilitate the security proofs of an impressive number of practical cryptosystems ranging from KDMsecure and deterministic encryption to pointfunction obfuscation and many more. However, due to an uninstantiability result of Canetti, Goldreich, and Halevi (STOC 1998) random oracles have become somewhat controversial. Recently, Bellare, Hoang, and Keelveedhi (BHK; CRYPTO 2013 and ePrint 2013/424, August 2013) introduced a new abstraction called Universal Computational Extractors (UCEs), and showed that they suffice to securely replace random oracles in a number of prominent applications, including all those mentioned above, without suffering from the aforementioned uninstantiability result. This, however, leaves open the question of constructing UCEs in the standard model. We show that the existence of indistinguishability obfuscation (iO) implies (nonblackbox) attacks on all the definitions that BHK proposed within their UCE framework in the original version of their paper, in the sense that no concrete hash function can satisfy them. We also show that this limitation can be overcome, to some extent, by restraining the class of admissible adversaries via a statistical notion of unpredictability. Following our attack, BHK (ePrint 2013/424, September 2013), independently adopted this approach in their work.
NonInteractive Secure Multiparty Computation∗
, 2014
"... We introduce and study the notion of noninteractive secure multiparty computation (NIMPC). An NIMPC protocol for a function f(x1,..., xn) is specified by a joint probability distribution R = (R1,..., Rn) and local encoding functions Enci(xi, Ri), 1 ≤ i ≤ n. Given correlated randomness (R1,..., Rn) ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
(Show Context)
We introduce and study the notion of noninteractive secure multiparty computation (NIMPC). An NIMPC protocol for a function f(x1,..., xn) is specified by a joint probability distribution R = (R1,..., Rn) and local encoding functions Enci(xi, Ri), 1 ≤ i ≤ n. Given correlated randomness (R1,..., Rn) ∈R R, each party Pi, using its input xi and its randomness Ri, computes the message mi = Enci(xi, Ri). The messagesm1,...,mn can be used to decode f(x1,..., xn). For a set T ⊆ [n], the protocol is said to be Trobust if revealing the messages (Enci(xi, Ri))i 6∈T together with the randomness (Ri)i∈T gives the same information about (xi)i 6∈T as an oracle access to the function f restricted to these input values. Namely, a coalition T can learn no more than the restriction of f fixing the inputs of uncorrupted parties, which, in this noninteractive setting, one cannot hope to hide. For 0 ≤ t ≤ n, the protocol is trobust if it is Trobust for every T of size at most t and it is fully robust if it is nrobust. A 0robust NIMPC protocol for f coincides with a protocol in the private simultaneous messages model of Feige et al. (STOC 1994). In the setting of computational (indistinguishabilitybased) security, fully robust NIMPC is implied by multiinput functional encryption, a notion that was recently introduced by Goldwasser et al. (Euro
How to Compress (Reusable) Garbled Circuits
, 2013
"... A fundamental question about (reusable) circuit garbling schemes is: how small can the garbled circuit be? Our main result is a reusable garbling scheme which produces garbled circuits that are the same size as the original circuit plus an additive poly(λ) bits, where λ is the security parameter. Sa ..."
Abstract
 Add to MetaCart
(Show Context)
A fundamental question about (reusable) circuit garbling schemes is: how small can the garbled circuit be? Our main result is a reusable garbling scheme which produces garbled circuits that are the same size as the original circuit plus an additive poly(λ) bits, where λ is the security parameter. Save the additive poly(λ) factor, this is the best one could hope for. In contrast, all previous constructions of even singleuse garbled circuits incurred a multiplicative poly(λ) blowup. Our techniques result in constructions of attributebased and (single key secure) functional encryption schemes where the secret key of a circuit C consists of C itself, plus poly(λ) additional bits. All of these constructions are based on the subexponential hardness of the learning with errors problem. We also study the dual question of how short the garbled inputs can be, relative to the original input. We demonstrate a (different) reusable circuit garbling scheme, based on multilinear maps, where the size of the garbled input is the same as that of the original input, plus a poly(λ) factor. This improves on the result of Applebaum, Ishai, Kushilevitz and Waters (CRYPTO 2013) who showed such a result for singleuse garbling. Similar to the above, this also results in attributebased and (single key secure) functional encryption schemes where the size of the ciphertext encrypting an input x is the same as that of x, plus poly(λ) additional bits.
Functional Encryption for Turing Machines
"... In this work, we construct an adaptively secure functional encryption for Turing machines scheme, based on indistinguishability obfuscation for circuits. Our work places no restrictions on the types of Turing machines that can be associated with each secret key, in the sense that the Turing machines ..."
Abstract
 Add to MetaCart
In this work, we construct an adaptively secure functional encryption for Turing machines scheme, based on indistinguishability obfuscation for circuits. Our work places no restrictions on the types of Turing machines that can be associated with each secret key, in the sense that the Turing machines can accept inputs of unbounded length, and there is no limit to the description size or the space complexity of the Turing machines. Prior to our work, only special cases of this result were known, or stronger assumptions were required. More specifically, previous work (implicitly) achieved selectively secure FE for Turing machines with apriori bounded input based on indistinguishability obfuscation (STOC 2015), or achieved FE for general Turing machines only based on knowledgetype assumptions such as publiccoin differinginputs obfuscation (TCC 2015). A consequence of our result is the first constructions of succinct adaptively secure garbling schemes (even for circuits) in the standard model. Prior succinct garbling schemes (even for circuits) were only known to be adaptively secure in the random oracle model.
Compact Reusable Garbled Circuits
, 2014
"... Garbled circuits are integral to secure function evaluation. A garbled circuit C ̂ for a circuit C enables a user to compute C(x) and nothing more about C or x, when given an encoding x ̂ for the input x. Earlier, garbling schemes produced only singleuse garbled circuits which did not offer securit ..."
Abstract
 Add to MetaCart
Garbled circuits are integral to secure function evaluation. A garbled circuit C ̂ for a circuit C enables a user to compute C(x) and nothing more about C or x, when given an encoding x ̂ for the input x. Earlier, garbling schemes produced only singleuse garbled circuits which did not offer security when used to evaluate more than one input encoding. Very recently, the first reusable version of garbled circuits was constructed by Goldwasser et al. (STOC 2013), which allowed a garbled circuit to evaluate multiple input encodings. But, all these constructions of garbled circuits, including the singleuse ones, incur a multiplicative blowup in size i.e the size of the garbled circuit is C  · poly(λ) for some security parameter λ. Hence, a fundamental question about (reusable) garbled circuits is: How small can a garbled circuit be? The main result of this thesis is a garbling scheme which produces (reusable) garbled circuits with just an additive overhead in size i.e with size C+poly(λ, dmax). Here dmax is the maximum depth of circuits which the garbling scheme can handle. Modulo the additive poly(λ, dmax) factor which is independent of the size of the circuit, this is the best that one could hope for. The main technical ingredient of our work is a “fully ” keyhomomorphic encryption scheme; an object that we define and construct based on learning with errors (LWE) assumption. A fully keyhomomorphic